DPDP rules: Centre may compress transition timeline for large firms
The existing adherence of large companies and major tech firms to stringent data protection standards in other markets has prompted discussions on accelerating the implementation of the new DPDP rules in India.
The Digital Personal Data Protection (DPDP) rules currently grant an 18-month transition period for companies. However, this timeline may be "compressed" for large firms as the government engages with industry stakeholders.
Large companies and major tech firms already adhere to stringent data protection standards in other markets, such as the European Union’s General Data Protection Regulation (GDPR). This fact has prompted discussions about accelerating the implementation of the new DPDP rules in India.
Rationale and government stance
Addressing the rationale for the 18-month timeline—especially when many large companies already comply with stringent norms elsewhere—IT Minister Ashwini Vaishnaw confirmed the government is in ongoing discussions with the industry.
Vaishnaw stated: "We have been discussing with industry... the first set of rules have been published, and this gives a reasonable timeframe, depending on what the industry's ask was and what our thrust was".
He elaborated on the push for faster compliance:
"But we are also in touch with the industry to further compress the time required for compliance because... exactly the same argument we have given to the industry: that you already have a compliance framework which is existing in other geographies... why can't you replicate [it]"?
The Minister added that the industry has been "quite positive" in these discussions. He indicated that once the Data Protection Board is established and the complete digital framework is rolled out, "we will have further amendments in rules so that we can compress the timelines".
Staggered implementation of DPDP rules
The DPDP rules, which operationalise the primary legislation, come into effect through a staggered timeline that allows companies 18 months to shift to the new regime.
The implementation is phased as follows:
- Immediate Effect: New rules about the Data Protection Board, which is in charge of making sure people follow data protection laws, dealing with complaints, and ensuring everything is compliant, will start right away.
- 12 Months: The consent manager framework activates.
- 18 Months: Compliance obligations, including user consent notices, security safeguards, data rights, and breach notifications, apply.
The rules are in place to safeguard people's rights and set clear guidelines for organisations that collect and use personal information. Vaishnaw emphasised the significance of the new rules:
"Data protection rules will be a major change in the way our citizen's data and privacy is protected by the digital ecosystem. The rules are in a simple language, highly focused on implementation. We have considered all inputs from industry and citizen groups".
Broader digital framework
The Minister asserted that India is prioritising the creation of a new legal framework tailored for the digital world. This regulatory and legal structure is deemed essential for protecting society from challenges like disinformation and deepfakes.
Emphasising the need for a broader scope, Vaishnaw concluded: "The way digital technologies and new opportunities are coming up, protecting the interest of citizens and the coming generations is of utmost importance".
ALSO READ: Nothing Phone 3a Lite India launch date confirmed: What to expect